Syslog messages not appearing


Alex Martin

Mar 10, 2017, 7:39:09 AM
to Wazuh mailing list
Hello,

I have set up two Wazuh OSSEC servers from the latest sources running on CentOS 7.3, following the previously posted instructions for ELK 5.x.

All is fine sending from the agents. However, I can't seem to get syslog from network devices to actually appear in Kibana or any of the logs.

On the server, the conf file /var/ossec/etc/ossec.conf contains (x'd IPs):

  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <local_ip>x.x.x.x</local_ip>
    <protocol>udp</protocol>
    <allowed-ips>x.x.0.x/24</allowed-ips>
    <allowed-ips>x.x.1.x/24</allowed-ips>
    <allowed-ips>x.x.x.x</allowed-ips>
  </remote>

The clients (pfsense, switches) have the local_ip above set as the syslog server.

I have enabled the debug, not really much indicated there. The process is listening on port 514:

udp    UNCONN     0      0      <local_ip>:514                   *:*                   users:(("ossec-remoted",pid=26362,fd=4))
udp    UNCONN     0      0      <local_ip>:1514                  *:*                   users:(("ossec-remoted",pid=26363,fd=4))

Strace'ing the process shows a wait file might be missing? 

strace -p 26362
Process 26362 attached

recvfrom(4, "<134>Mar 10 12:23:04 filterlog: "..., 1024, 0, {sa_family=AF_INET, sin_port=htons(514), sin_addr=inet_addr("x.x.x.202")}, [16]) = 157
stat("/queue/ossec/.wait", 0x7fff574957a0) = -1 ENOENT (No such file or directory)
sendto(5, "2:x.x.x.202:Mar 10 12:23:04 fil"..., 166, 0, NULL, 0) = 166
recvfrom(4, "<134>Mar 10 12:23:04 filterlog: "..., 1024, 0, {sa_family=AF_INET, sin_port=htons(514), sin_addr=inet_addr("x.x.x.202")}, [16]) = 157
stat("/queue/ossec/.wait", 0x7fff574957a0) = -1 ENOENT (No such file or directory)
sendto(5, "2:x.x.x.202:Mar 10 12:23:04 fil"..., 166, 0, NULL, 0) = 166
recvfrom(4, "<134>Mar 10 12:23:04 filterlog: "..., 1024, 0, {sa_family=AF_INET, sin_port=htons(514), sin_addr=inet_addr("x.x.x.254")}, [16]) = 158
stat("/queue/ossec/.wait", 0x7fff574957a0) = -1 ENOENT (No such file or directory)


Does anyone have any ideas at all? Starting to pull hairs out! 

Many thanks
Alex

Alex Martin

Mar 10, 2017, 8:16:51 AM
to Wazuh mailing list
Never mind, the 'no such file or directory' message was a red herring; it turns out my rules weren't correct!

Sorry guys for the spam.

Thanks
Alex

Pedro Sanchez

Mar 10, 2017, 10:48:43 AM
to Alex Martin, Wazuh mailing list
Hi Alex,

Happy to know you found your issue.

Just as a recommendation, you could log everything, no matter whether there are rules matching those events or not; that is a good way to inspect incoming logs from external syslog devices.
Enable the "<logall>" / "<logall_json>" setting in the "<global>" section of the Wazuh manager; that will create a file archives.json/archives.log.

Regards,
Pedro Sanchez.


Joe Kingston

Apr 8, 2018, 7:29:03 PM
to Wazuh mailing list
How did you fix this problem? I am not seeing any logs from pfSense to WAZUH.

Thanks

francisco...@wazuh.com

Apr 25, 2018, 5:30:30 AM
to Wazuh mailing list

Hi Joe,

At the moment, there are no pfSense rules in Wazuh's default ruleset, but a Pull Request to add them is active: https://github.com/wazuh/wazuh-ruleset/blob/bd3619f6cd746d9dfa0d760b37a7b14548b3fc2b/rules/0540-pfsense_rules.xml

You can just add them to a file called 0540-pfsense_rules.xml in /var/ossec/ruleset/rules/ and restart Wazuh.
Please note that if you're about to create new rules of your own (apart from those included in the previous link), you should add them in an additional file in /var/ossec/etc/rules/ in order to prevent the new rules from being overwritten in a future update. This is explained here: https://documentation.wazuh.com/3.x/user-manual/ruleset/custom.html

Also, if you don't have the latest version of Wazuh installed, you should also check if the pfSense decoders are present in /var/ossec/ruleset/decoders/

I hope it helps, and please don't hesitate to ask about any further question or problem you may have.

Regards,

Fran G.